Macintosh-HW
/
RASCSI
mirror of https://github.com/akuker/RASCSI.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Improve invalid path error handling, and escape single quotes in JS (#1174)

This commit is contained in:
Daniel Markstedt 2023-05-21 15:32:19 -07:00 committed by GitHub
parent fa475d8b12
commit 1ce6fd1d55
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
python/web/src/templates/index.html
View File

@ -341,17 +341,17 @@
<input type="submit" value="{{ _("Attach") }}" title="{{ _("Attach") }}">
{% endif %}
</form>
<form action="/files/rename" method="post" class="file-rename" onsubmit="var new_file_name = prompt('{{ _("Enter new file name for: %(file_name)s", file_name=file["name"]) }}', '{{ file['name'] }}'); if (new_file_name === null) event.preventDefault(); document.getElementById('new_file_name_{{ subdir }}_{{ loop.index }}').value = new_file_name;">
<form action="/files/rename" method="post" class="file-rename" onsubmit="var new_file_name = prompt('{{ _("Enter a new file name:") }}', '{{ file["name"]|replace("'", "\\'") }}'); if (new_file_name === null) event.preventDefault(); document.getElementById('new_file_name_{{ subdir }}_{{ loop.index }}').value = new_file_name;">
<input name="file_name" type="hidden" value="{{ file['name'] }}">
<input name="new_file_name" id="new_file_name_{{ subdir }}_{{ loop.index }}" type="hidden" value="">
<input type="submit" value="{{ _("Rename") }}" title="{{ _("Rename") }}">
</form>
<form action="/files/copy" method="post" class="file-copy" onsubmit="var copy_file_name = prompt('{{ _("Save copy of %(file_name)s as:", file_name=file["name"]) }}', '{{ file['name'] }}'); if (copy_file_name === null) event.preventDefault(); document.getElementById('copy_file_name_{{ subdir }}_{{ loop.index }}').value = copy_file_name;">
<form action="/files/copy" method="post" class="file-copy" onsubmit="var copy_file_name = prompt('{{ _("Enter a file name for the copy:") }}', '{{ file["name"]|replace("'", "\\'") }}'); if (copy_file_name === null) event.preventDefault(); document.getElementById('copy_file_name_{{ subdir }}_{{ loop.index }}').value = copy_file_name;">
<input name="file_name" type="hidden" value="{{ file['name'] }}">
<input name="copy_file_name" id="copy_file_name_{{ subdir }}_{{ loop.index }}" type="hidden" value="">
<input type="submit" value="{{ _("Copy") }}" title="{{ _("Copy") }}">
</form>
<form action="/files/delete" method="post" class="file-delete" onsubmit="return confirm('{{ _("Delete file: %(file_name)s?", file_name=file["name"]) }}')">
<form action="/files/delete" method="post" class="file-delete" onsubmit="return confirm('{{ _("Delete file: %(file_name)s?", file_name=file["name"]|replace("'", "\\'")) }}')">
<input name="file_name" type="hidden" value="{{ file['name'] }}">
<input type="submit" value="{{ _("Delete") }}" title="{{ _("Delete") }}">
</form>

16
python/web/src/web_utils.py
View File

@ -300,11 +300,17 @@ def is_safe_path(file_name):
Returns True if the path is safe
Returns False if the path is either absolute, or tries to traverse the file system
"""
if file_name.is_absolute() or ".." in str(file_name) or str(file_name)[0] == "~":
return {
"status": False,
"msg": _("No permission to use path '%(file_name)s'", file_name=file_name),
}
error_message = ""
if file_name.is_absolute():
error_message = _("Path must not be absolute")
elif "../" in str(file_name):
error_message = _("Path must not traverse the file system")
elif str(file_name)[0] == "~":
error_message = _("Path must not start in the home directory")
if error_message:
logging.error("Not an allowed path: %s", str(file_name))
return {"status": False, "msg": error_message}
return {"status": True, "msg": ""}